Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

bennyPeoples
Level 1

Hi,

I have set up two routers for an IPsec VPN. I see the following on R1:

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.241   x.x.x.197  QM_IDLE           1007 ACTIVE

IPv6 Crypto ISAKMP SA

and on the router R1LnkOever:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.241   x.x.x.197  QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

As you can see, both show the same destination and source; I think this must be reversed on R1.

Any idea how I can solve this issue?

I get the following output on R1:

R1#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: VPN-C-MAP, local addr x.x.x.241

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer x.x.x.197 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 395, #pkts encrypt: 395, #pkts digest: 395
    #pkts decaps: 393, #pkts decrypt: 393, #pkts verify: 393
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.241, remote crypto endpt.: x.x.x.197
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x4A2B41CA(1244348874)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x560CE67F(1443686015)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4282484/2463)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4A2B41CA(1244348874)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4282463/2463)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

and on R1LnkOever:

R1LnkOever#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN-C-MAP, local addr x.x.x.197

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer x.x.x.241 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 487, #pkts encrypt: 487, #pkts digest: 487
    #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.197, remote crypto endpt.: x.x.x.241
     plaintext mtu 1422, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x560CE67F(1443686015)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4A2B41CA(1244348874)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80004040, crypto map: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4287720/2355)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x560CE67F(1443686015)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80004040, crypto map: VPN-C-MAP
        sa timing: remaining key lifetime (k/sec): (4287738/2355)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Hope someone can help me.


7 Replies

Hi @bennyPeoples

Try to run "clear crypto isakmp sa" and force the tunnel to come up again. As per the IPsec SA, the config looks OK.

-If I helped you somehow, please, rate it as useful.-

Hi,

That does not work, but how does the traffic know where to go? Do I need to set up some static routes for the nv1 or so?

This is what I see when I run sh access-lists:

Extended IP access list 100
    10 deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255 (1101 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (14577 matches)

Extended IP access list VPN-ACL
    10 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255 (1101 matches)

I see that the access-lists are working as they should?

Also on the other router :

Extended IP access list 100
    10 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (1122 matches)
    20 permit ip 192.168.11.0 0.0.0.255 any (1782 matches)
Extended IP access list VPN-ACL
    10 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (1127 matches)

Thanks

You need routes for sure. You don't need a route for the encrypted traffic, however.

But you need to permit both internal networks on the crypto map.

-If I helped you somehow, please, rate it as useful.-

I did so, I think, without success: no ping possible after clearing the VPN tunnel.

On R1LnkOever: sh crypto map
        Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "VPN-C-MAP" 10 ipsec-isakmp
        Peer = x.x.x.241
        Extended IP access list VPN-ACL
            access-list VPN-ACL permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
            access-list VPN-ACL permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: x.x.x.241
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                VPN-TS:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN-C-MAP:
                Dialer1

On R1: sh crypto map
        Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "VPN-C-MAP" 10 ipsec-isakmp
        Peer = x.x.x.197
        Extended IP access list VPN-ACL
            access-list VPN-ACL permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
            access-list VPN-ACL permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: x.x.x.197
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                VPN-TS:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN-C-MAP:
                GigabitEthernet0/1

"Interfaces using crypto map VPN-C-MAP:
                Dialer1"

Is this correct? Which access medium are you using for R1LnkOever?

-If I helped you somehow, please, rate it as useful.-

Yes, this is correct. I also found my problem :-)

I was pinging from the routers themselves and not from a PC. It is working well from the desktops in the networks.

Thank you for the support!

Best regards,

Benny
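Why the router-sourced ping failed while the desktops worked: a ping typed at the IOS CLI is sourced from the address of the egress interface (here the WAN/Dialer address) unless a `source` is given, and that address is not covered by VPN-ACL, so the packet is sent in the clear instead of entering the tunnel. A ping from a LAN host is sourced from 192.168.1.0/24 and matches. The Python script below is an added example for this thread, not code from the original posts: it evaluates R1's VPN-ACL and ACL 100 exactly as printed above, with Cisco wildcard-mask and first-match semantics, and classifies a few constructed packets. Assumptions: ACL 100 is the NAT list (its deny-then-permit shape is the usual NAT-exempt idiom, but the post does not say so); 203.0.113.241 is a constructed stand-in for the masked WAN address x.x.x.241; 198.51.100.5 is a constructed Internet host.

```python
"""Evaluate Cisco-style wildcard-mask ACLs to see which packets the crypto map
(VPN-ACL) will encrypt and which ones the NAT list (ACL 100) will translate.

Added example for this thread; not code from the original posts.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    In a wildcard mask a 1 bit means 'don't care', so it is the bitwise inverse
    of a subnet mask (0.0.0.255 <-> 255.255.255.0).  Only contiguous wildcards
    are accepted; anything else cannot be expressed as a single prefix.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                      # low-order ones must be contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


@dataclass(frozen=True)
class Ace:
    """One access-control entry: '<seq> permit|deny ip <src> <dst>'."""
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_target(tokens: list, i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one line as printed by 'show access-lists' (match counters stripped)."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_target(tokens, 3)
    dst, _ = _parse_target(tokens, i)
    return Ace(seq, action, src, dst)


def evaluate(acl: list, src_ip: str, dst_ip: str):
    """First matching entry wins; an ACL ends with an implicit deny, as on IOS."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


# R1's lists, copied from the thread (match counters removed).
R1_VPN_ACL = [parse_ace("10 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255")]
R1_ACL_100 = [
    parse_ace("10 deny ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255"),
    parse_ace("20 permit ip 192.168.1.0 0.0.0.255 any"),
]


def classify(src_ip: str, dst_ip: str) -> dict:
    """Say what R1 does with a packet: encrypt it (crypto ACL permit) and/or
    NAT it (ACL 100 permit; assumption: ACL 100 is the NAT list, as its shape suggests)."""
    crypto_action, _ = evaluate(R1_VPN_ACL, src_ip, dst_ip)
    nat_action, _ = evaluate(R1_ACL_100, src_ip, dst_ip)
    return {"encrypted": crypto_action == "permit", "natted": nat_action == "permit"}


if __name__ == "__main__":
    WAN_R1 = "203.0.113.241"      # constructed stand-in for the masked x.x.x.241
    cases = {
        "desktop on LAN -> remote LAN":        ("192.168.1.10", "192.168.11.10"),
        "router CLI ping (sourced from WAN)":  (WAN_R1, "192.168.11.10"),
        "router ping sourced from LAN addr":   ("192.168.1.1", "192.168.11.10"),
        "desktop on LAN -> Internet host":     ("192.168.1.10", "198.51.100.5"),
    }
    for label, (s, d) in cases.items():
        print(f"{label:38s} {s:>15s} -> {d:<15s} {classify(s, d)}")
```

The second case is the one the thread ran into: sourced from the WAN address, the packet matches neither list, so it is neither encrypted nor translated. To test from the router itself, source the ping from the LAN interface address so that it matches the crypto ACL, e.g. `ping 192.168.11.10 source 192.168.1.1` (both addresses are assumed here; use the real LAN addresses). Seeing the same dst/src pair in `show crypto isakmp sa` on both routers is also normal for an established SA: those columns reflect which peer initiated the IKE exchange, not which side is local.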

That's great. Then please change the status to resolved so that you can help others find the solution.

-If I helped you somehow, please, rate it as useful.-
