cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1656
Views
0
Helpful
7
Replies

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

bennyPeoples
Level 1
Level 1

hi,

 

have set up two routers for ipsec vpn is see the folowing on R1:

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.241   x.x.x.197  QM_IDLE           1007 ACTIVE

IPv6 Crypto ISAKMP SA

 

and on the routers R1LnkOever:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.241   x.x.x.197  QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

 

as you can see both showing same destination and source, i think this must be reversed on R1:

Any idea how i can solve this issue?

 

I get some the following output on R1:

R1#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: VPN-C-MAP, local addr x.x.x.241

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 213.224.38.197 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 395, #pkts encrypt: 395, #pkts digest: 395
    #pkts decaps: 393, #pkts decrypt: 393, #pkts verify: 393
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.241, remote crypto endpt.: x.x.x197
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0                                                                                                             /1
     current outbound spi: 0x4A2B41CA(1244348874)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x560CE67F(1443686015)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4282484/2463)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4A2B41CA(1244348874)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4282463/2463)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

 

 

and on R1LnkOever:

R1LnkOever#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN-C-MAP, local addr x.x.x.197

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer x.x.x.241 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 487, #pkts encrypt: 487, #pkts digest: 487
    #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 213.224.38.197, remote crypto endpt.: 81.82.234.241
     plaintext mtu 1422, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x560CE67F(1443686015)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4A2B41CA(1244348874)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80004040, crypto ma                                                                                                             p: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4287720/2355)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x560CE67F(1443686015)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80004040, crypto ma                                                                                                             p: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4287738/2355)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

 

 

Hope someone can help me

2 Accepted Solutions

Accepted Solutions

yes this is correct, i also find my problem :-)

i was pinging from the routers itself and not from a pc. it is working wel from the desktops in the networks.

 

Thank you for the support!

Best regards,

Benny

View solution in original post

That´s great. Then, please change the status to resolved so that you can help others find solution.

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

View solution in original post

7 Replies 7

Hi @bennyPeoples

Try to run "clear crypto isakmp sa" and force tunnel to go up again. As per the ipsec sa, config looks ok.

 

 

 

-If I helped you somehow, please, rate it as useful.-

Hi,

 

that does not work, but how the traffic knows where to go do i need to setup some static routes for the nv1 or so?

 This i see when i run sh access-lists

Extended IP access list 100
    10 deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255 (1101 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (14577 matches)

Extended IP access list VPN-ACL
    10 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255 (1101 matches)

 

 i see that the access-lists are working as they should?

Also on the other router :

Extended IP access list 100
    10 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (1122 matches)
    20 permit ip 192.168.11.0 0.0.0.255 any (1782 matches)
Extended IP access list VPN-ACL
    10 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (1127 matches)

 

Thanx

 You need routes for sure. You don't need route for the encrypted traffic however.

But, you need to permit both internal network on the crypto map.

 

 

 

-If I helped you somehow, please, rate it as useful.-

I did so i think without succes no ping possible after clearing vpn tunnel.

On

R1LnkOever:sh crypto map
        Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "VPN-C-MAP" 10 ipsec-isakmp
        Peer = x.x.x.241
        Extended IP access list VPN-ACL
            access-list VPN-ACL permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
            access-list VPN-ACL permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: x.x.x.241
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                VPN-TS:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN-C-MAP:
                Dialer1

 

 

On R1:# sh crypto map
        Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "VPN-C-MAP" 10 ipsec-isakmp
        Peer = x.x.x.197
        Extended IP access list VPN-ACL
            access-list VPN-ACL permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
            access-list VPN-ACL permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: x.x.x.197
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                VPN-TS:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN-C-MAP:
                GigabitEthernet0/1

"Interfaces using crypto map VPN-C-MAP:
                Dialer1"

Is this correct?  Are you using which access medium for R1LnkOever ?

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

yes this is correct, i also find my problem :-)

i was pinging from the routers itself and not from a pc. it is working wel from the desktops in the networks.

 

Thank you for the support!

Best regards,

Benny

That´s great. Then, please change the status to resolved so that you can help others find solution.

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Review Cisco Networking for a $25 gift card