03-14-2021 06:56 AM
Hello,
Please help.
I am trying to create a VPN towards a virtual IP (I am trying this on Cisco routers that are in HSRP), but the VPN status is down and I am getting many error logs. I have uploaded the lab and the errors.
03-14-2021 07:22 AM
%CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer
As per this message, some configuration is missing. Post the complete configuration of all devices so it can be understood, or follow the blog below and check the configuration.
https://blog.ine.com/2008/11/06/ipsec-vpn-high-availability-with-hsrp
03-14-2021 07:37 AM
03-14-2021 07:59 AM - edited 03-14-2021 08:06 AM
On both routers you have the same access-list:
"ip access-list extended VPN-TRAFFIC
permit ip any any"
and on the branch router, interface gig1/0 does not have an IP address configured:
"interface GigabitEthernet1/0
no ip address
negotiation auto
crypto map CMAP"
You need to be specific about what traffic you want to send to the tunnel.
===============================
Interface: GigabitEthernet1/0
Session status: DOWN
Peer: 192.168.1.250 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet1/0.300
Session status: DOWN-NEGOTIATING
Peer: 172.16.1.2 port 500
IKE SA: local 172.16.1.1/500 remote 172.16.1.2/500 Inactive
03-14-2021 08:24 AM
Hello,
I tried applying a specific ACL, but it does not work.
As for the branch router, I use a sub-interface and applied the IP address on the sub-interface.
03-14-2021 09:30 AM
Hello, any help!!
03-14-2021 10:22 AM
03-14-2021 10:42 AM - edited 03-14-2021 10:46 AM
Can you try this?
Branch1
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.250
set transform-set TS
match address VPN-TRAFFIC1
!
crypto map CMAP1 10 ipsec-isakmp
set peer 172.16.1.250
set transform-set TS
match address VPN-TRAFFIC2
!
ip access-list extended VPN-TRAFFIC1
permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended VPN-TRAFFIC2
permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255
!
VPN-RTR1
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set TS
match address VPN-TRAFFIC1
!
crypto map CMAP1 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set TS
match address VPN-TRAFFIC2
!
!
ip access-list extended VPN-TRAFFIC1
permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip access-list extended VPN-TRAFFIC2
permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 10.10.20.0 0.0.0.255
And post the debug output from both routers.
03-14-2021 10:56 AM
Hello,
I tried it but it does not work.
03-14-2021 12:43 PM - edited 03-14-2021 01:54 PM
Here, try this. It will work, as I have tested it in my lab.
VPN-RTR1
!
crypto isakmp key firewallcx address 192.168.1.1
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set TS
match address VPN-TRAFFIC1
reverse-route
!
interface GigabitEthernet1/0.200
encapsulation dot1Q 200
ip address 192.168.1.2 255.255.255.0
standby 1 ip 192.168.1.250
standby 1 priority 200
standby 1 preempt
standby 1 name HSRP-VPN
crypto map CMAP redundancy HSRP-VPN
!
VPN-RTR2
!
crypto isakmp key firewallcx address 192.168.1.1
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set TS
match address VPN-TRAFFIC1
reverse-route
!
interface GigabitEthernet1/0.200
encapsulation dot1Q 200
ip address 192.168.1.X 255.255.255.0
standby 1 ip 192.168.1.250
standby 1 priority 200
standby 1 preempt
standby 1 name HSRP-VPN
crypto map CMAP redundancy HSRP-VPN
Branch
!
crypto isakmp key firewallcx address 192.168.1.250
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.250
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet1/0.200
description ***SUBISU-L2_CONN-TO-VPN-RTR-1***
encapsulation dot1Q 200
ip address 192.168.1.1 255.255.255.0
crypto map CMAP
03-14-2021 11:25 PM
Hello,
I tried this but it does not work.
03-14-2021 11:52 PM
Have a look at this link; it is the same scenario as yours, with the same issue.
You need to define an HSRP name and call this HSRP name in the crypto map with the redundancy command, together with reverse-route.
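The three things the replies above keep checking by hand (a pre-shared key bound to the address the peer actually sends from, a crypto ACL that names subnets rather than `permit ip any any`, and the crypto map applied with `redundancy` naming the standby group plus `reverse-route`) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small Python checker run over two constructed HQ-side configuration fragments that reuse the thread's placeholders (branch 192.168.1.1, VIP 192.168.1.250, key firewallcx, standby group HSRP-VPN). The parser, the finding messages and all function names are my own.

```python
"""Checker for the crypto-map + HSRP design discussed in this thread.

Added example, not code from the thread or from Cisco. It parses a trimmed
`show running-config` (children indented by one space, as IOS prints them) and
flags: a crypto-map peer with no `crypto isakmp key ... address` entry (what
%CRYPTO-6-IKMP_NO_PRESHARED_KEY points at), a crypto ACL of `permit ip any any`,
an HSRP interface whose crypto map lacks `redundancy <standby name>` or names a
group not on that interface, and a redundant map without `reverse-route`.
"""
import re
from collections import defaultdict


def parse_ios(config: str) -> dict:
    """Keep only the statements the checks need."""
    keys = {}  # peer address -> pre-shared key
    maps = defaultdict(lambda: {"peers": [], "acl": None, "rri": False})
    acls = defaultdict(list)
    ifaces = defaultdict(lambda: {"standby": set(), "map": None, "redundancy": None})
    section = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):  # top-level statement: starts a new section
            section = None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                keys[m[2]] = m[1]
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                section = ("map", m[1])
            elif m := re.match(r"ip access-list extended (\S+)", line):
                section = ("acl", m[1])
            elif m := re.match(r"interface (\S+)", line):
                section = ("if", m[1])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "map":
            if m := re.match(r"set peer (\S+)", line):
                maps[name]["peers"].append(m[1])
            elif m := re.match(r"match address (\S+)", line):
                maps[name]["acl"] = m[1]
            elif line == "reverse-route":
                maps[name]["rri"] = True
        elif kind == "acl":
            acls[name].append(line)
        elif kind == "if":
            if m := re.match(r"standby \d+ name (\S+)", line):
                ifaces[name]["standby"].add(m[1])
            elif m := re.match(r"crypto map (\S+)(?: redundancy (\S+))?$", line):
                ifaces[name]["map"], ifaces[name]["redundancy"] = m[1], m[2]
    return {"keys": keys, "maps": dict(maps), "acls": dict(acls), "ifaces": dict(ifaces)}


def check(config: str) -> list:
    """One finding string per mistake; an empty list means the config passed."""
    cfg = parse_ios(config)
    out = []
    for mname, mp in cfg["maps"].items():
        for peer in mp["peers"]:
            if peer not in cfg["keys"]:
                out.append(f"map {mname}: no isakmp key for peer {peer} -> IKMP_NO_PRESHARED_KEY")
        if any(e.split() == ["permit", "ip", "any", "any"] for e in cfg["acls"].get(mp["acl"], [])):
            out.append(f"map {mname}: ACL {mp['acl']} is 'permit ip any any'; list the real subnets")
    for iname, i in ((n, v) for n, v in cfg["ifaces"].items() if v["map"]):
        if i["standby"] and i["redundancy"] is None:
            out.append(f"{iname}: HSRP interface applies {i['map']} without 'redundancy <standby name>'")
        elif i["redundancy"] and i["redundancy"] not in i["standby"]:
            out.append(f"{iname}: 'redundancy {i['redundancy']}' matches no 'standby N name' here")
        if i["redundancy"] and not cfg["maps"].get(i["map"], {}).get("rri"):
            out.append(f"{iname}: map {i['map']} is redundant but has no 'reverse-route'")
    return out


# Constructed HQ-side fragments modelled on the thread's placeholders, not real devices.
# The broken one binds the key to its own VIP instead of the branch address 192.168.1.1.
HQ_BROKEN = """\
crypto isakmp key firewallcx address 192.168.1.250
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip any any
interface GigabitEthernet1/0.200
 standby 1 ip 192.168.1.250
 standby 1 name HSRP-VPN
 crypto map CMAP
"""

HQ_FIXED = """\
crypto isakmp key firewallcx address 192.168.1.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 match address VPN-TRAFFIC
 reverse-route
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
interface GigabitEthernet1/0.200
 standby 1 ip 192.168.1.250
 standby 1 name HSRP-VPN
 crypto map CMAP redundancy HSRP-VPN
"""
```

Call `check()` on the text of `show running-config` from each HQ router; `check(HQ_BROKEN)` returns three findings and `check(HQ_FIXED)` returns none. The parser relies on the one-space indentation IOS prints under each section, so feed it the running-config rather than the flattened fragments pasted in this thread. The broken fragment reproduces the first symptom reported here: the key is bound to the router's own virtual address, so an IKE request arriving from the branch's 192.168.1.1 has no key to look up.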
03-14-2021 11:57 PM
Hello,
I have tried this also but it does not work.
03-15-2021 04:00 AM
Try this different approach.
Branch1
!
crypto isakmp key firewallcx address 192.168.1.2
crypto isakmp key firewallcx address 192.168.1.3
crypto isakmp key firewallcx address 172.16.1.2
crypto isakmp key firewallcx address 172.16.1.3
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.2
set peer 192.168.1.3
set transform-set TS
match address VPN-TRAFFIC1
!
crypto map CMAP1 10 ipsec-isakmp
set peer 172.16.1.2
set peer 172.16.1.3
set transform-set TS
match address VPN-TRAFFIC2
!
Leave the HQ as it is. Now when one tunnel goes down, the other peer will pick up.
03-14-2021 04:14 PM - edited 03-16-2021 05:47 AM
...